Rollout: Prism EventTracker Log Management System

We put version 6.0 of EventTracker to the test and found it on par with rivals in ease of use, and ahead in scalability.

Collect it. Mine it. Report on it. Those are the key functions of log data analysis, and Prism Microsystems eases them all with version 6.0 of its EventTracker log manager. New features include a distributed collection architecture to enable use in geographically dispersed organizations, advanced data mining and report generation, and support for XML and Windows 2003 event formats.

We tested EventTracker in our Syracuse University labs and came away impressed; Prism's entry is on par with log management and analysis products we've tested from LogLogic, Q1 Labs, and Splunk.

Some features are impressively simple. Take agent deployment on Windows servers--just find hosts, point, click, and shoot. The agent installs and starts sending events back to the collector. Adding syslog hosts is just as easy.

Distributed event log collectors, called collection points, are EventTracker servers that forward events to a master collection server on a schedule. Event files are compressed, reducing the data transmitted over a WAN. And because EventTracker is licensed by the number of reporting servers, not by collector or management station, you can build your log collection system as needed without worrying about increasing costs.

THE UPSHOT

CLAIM: Log management and analysis are underutilized because the only thing more complex than getting data into the log manager is extracting meaningful information for mining and reporting. Fortunately, EventTracker simplifies both processes.

CONTEXT: Log retention is required for companies in regulated industries, and if you’re going to collect data, you may as well mine it. In response, vendors including LogLogic, LogRhythm, Prism, Q1 Labs, and Splunk are adding mining and reporting features.

CREDIBILITY: EventTracker lives up to its ease-of-use claims. Reporting, mining, and search refinement are simpler than with other log management products, though Splunk’s keyword searching is still tops. Prism’s distributed architecture is a big plus.

To filter the events sent to our master collector, we configured agents to send specific notifications, like Windows security events, to a designated collector, which would then forward select events to the master. We could also manage and data mine directly on EventTracker collection points.
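The two-stage forwarding described here and in the collection-point paragraph above (agent routes by log type, collector forwards only selected events, batches compressed for the WAN hop) can be sketched as a small pipeline. The following is an added illustration, not Prism's code: the event records, the routing rule, the selection rule and the collector names are all constructed for the example.

```python
import gzip
import json
from collections import defaultdict

# Constructed sample events (not from the review); the fields imitate a
# Windows event-log record reduced to what a forwarder needs.
SAMPLE_EVENTS = [
    {"host": "web01", "log": "Security", "event_id": 4625, "type": "audit_failure",
     "msg": "An account failed to log on"},
    {"host": "web01", "log": "Application", "event_id": 1000, "type": "error",
     "msg": "Faulting application"},
    {"host": "db01", "log": "Security", "event_id": 4624, "type": "audit_success",
     "msg": "An account was successfully logged on"},
    {"host": "db01", "log": "System", "event_id": 7036, "type": "information",
     "msg": "Service entered the running state"},
    {"host": "dc01", "log": "Security", "event_id": 4720, "type": "audit_success",
     "msg": "A user account was created"},
]


def agent_route(event):
    """Agent-side rule (hypothetical): Security log events go to a designated
    security collector, everything else to the site's general collector."""
    return "security-collector" if event["log"] == "Security" else "general-collector"


def collector_select(event):
    """Collector-side rule (hypothetical): forward to the master only failures,
    errors and account-creation events; routine noise stays at the collection point."""
    return event["type"] in {"audit_failure", "error"} or event["event_id"] == 4720


def stage_events(events):
    """Run both stages; returns {collector_name: [events queued for the master]}."""
    staged = defaultdict(list)
    for ev in events:
        collector = agent_route(ev)
        staged.setdefault(collector, [])          # a collector with nothing to send still appears
        if collector_select(ev):
            staged[collector].append(ev)
    return dict(staged)


def pack_batch(events):
    """Compress one collector's batch for the WAN hop: JSON lines, gzipped."""
    payload = "\n".join(json.dumps(e, sort_keys=True) for e in events).encode()
    return gzip.compress(payload)


def unpack_batch(blob):
    """Master side: decompress and parse the batch back into event records."""
    text = gzip.decompress(blob).decode()
    return [json.loads(line) for line in text.splitlines() if line]


if __name__ == "__main__":
    for collector, batch in stage_events(SAMPLE_EVENTS).items():
        blob = pack_batch(batch)
        print(f"{collector}: {len(batch)} event(s) forwarded, {len(blob)} compressed bytes")
```

The point of keeping the two rules separate is the same as in the product: the agent decides where an event goes, the collector decides what is worth the master's attention, and each can be changed without touching the other.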

With events streaming in, we started digging into the system's search and reporting capabilities. The new UI has a similar look and feel to the Microsoft Management Console, making it a familiar interface for Windows administrators. Clicking on hosts, groups, or event types narrowed events to just that selection. It's a great capability--if you know what you're looking for.

ADVANCED FORENSICS

Splunk set the bar for intuitive, free-form keyword searching, and LogLogic hasn't kept pace. EventTracker, like Q1 Labs' SLIM, is focused more on reporting and defined queries rather than intuitive searches. For example, to find a particular DHCP event, we needed to start a search for all DHCP events over a period of time and then refine our parameters. Prism calls this process "advanced forensics," digging within search results using regular expressions and keywords in a separate dialog box. However, we could refine only once. If we wanted to continue to narrow our search, we would have to re-enter the refinement each time.
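The search-then-refine workflow described above (a broad query for all DHCP events in a time window, then narrowing by keyword or regular expression) is easy to model, and modelling it also shows the shape of the limitation the review notes: each refinement should operate on the previous result set rather than requiring the parameters to be re-entered. The code below is an added example written for this review, not EventTracker's search engine; the log lines, the syslog-style line format and the function names are all constructed.

```python
import re
from datetime import datetime

# Constructed sample log (syslog-style lines, not taken from the review).
SAMPLE_LOG = """\
2008-03-10T09:00:01 dhcp01 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
2008-03-10T09:00:01 dhcp01 dhcpd: DHCPOFFER on 10.0.0.51 to 00:1a:2b:3c:4d:5e via eth0
2008-03-10T09:00:02 dhcp01 dhcpd: DHCPACK on 10.0.0.51 to 00:1a:2b:3c:4d:5e via eth0
2008-03-10T09:05:17 dhcp01 dhcpd: DHCPNAK on 10.0.0.77 to 00:aa:bb:cc:dd:ee via eth0
2008-03-10T09:06:40 web01 sshd[2231]: Accepted password for admin from 10.0.0.51
2008-03-10T11:30:00 dhcp01 dhcpd: DHCPACK on 10.0.0.99 to 00:aa:bb:cc:dd:ee via eth0
"""

# timestamp, host, program (optional [pid]), message
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")


def parse(line):
    """Turn one raw line into a record; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["raw"] = line
    return rec


def initial_search(text, program, start, end):
    """The broad first query: every event from one program inside [start, end)."""
    hits = []
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["prog"] == program and start <= rec["ts"] < end:
            hits.append(rec)
    return hits


def refine(results, keyword=None, regex=None):
    """One refinement step over an existing result set (the source is not re-scanned).
    Keywords match case-insensitively against the message; regexes run on the raw line."""
    keep = results
    if keyword is not None:
        kw = keyword.lower()
        keep = [r for r in keep if kw in r["msg"].lower()]
    if regex is not None:
        pat = re.compile(regex)
        keep = [r for r in keep if pat.search(r["raw"])]
    return keep


def refine_chain(results, steps):
    """Apply successive refinements, each narrowing the previous set, so that a
    second or third narrowing never requires re-entering the earlier parameters.
    `steps` is a list of keyword-argument dicts for refine()."""
    for step in steps:
        results = refine(results, **step)
    return results


if __name__ == "__main__":
    window = (datetime(2008, 3, 10, 9, 0), datetime(2008, 3, 10, 10, 0))
    broad = initial_search(SAMPLE_LOG, "dhcpd", *window)
    narrowed = refine_chain(broad, [{"keyword": "ACK"}, {"regex": r"10\.0\.0\.51"}])
    for rec in narrowed:
        print(rec["raw"])
```

Because every step returns a plain list, a third or fourth refinement costs one more list entry in `steps`, which is the behaviour the review found missing when it had to re-enter the refinement each time.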

One of the most useful features of EventTracker is Prism's integrated event knowledge base. For every event that it recognizes, EventTracker provides useful descriptions and other resources so you can understand what an event means. Prism's knowledge base is open to the public, but integration in EventTracker is a nice touch.

Reporting is useful to show that active monitoring is being performed. We could run reports on an on-demand or scheduled basis, and 6.0 ships with some predefined reports for operations, security events, and regulatory compliance. Simply select the type, add target hosts, create filters such as searching for particular users, and off you go. Administrators can be notified of reports via e-mail or RSS feed.

EventTracker 6.0 represents a strong balance between log aggregation and data mining. A setup with 50 monitored servers runs $15,000, including all modules.